Flash Drive Policy


Flash Drive Policy

I was wondering if anybody has a flash drive / thumb drive policy at their organization. Our agency is a HIPAA agency and we do not allow the use of flash drives. We had a few employees back up their files onto flash drives so they could take them home to work from home.

RE: Flash Drive Policy

Quote (TheGirlOfSteel):

We had a few employees backup their files onto flash drives so they can take it home to do work from home.

If your agency does not allow the use of flash drives, do they allow you to work from home? If they allow you to work from home, then how on earth can they justify your not using flash drives? It seems to me that if the agency restricts flash-drive use based upon their worries about breaking HIPAA regs, then they should be even more worried about working from home.

RE: Flash Drive Policy

The company I work for actively promotes the use of pen drives, and to some key staff even provides them. For instance, I have just ordered six 4GB pen drives for our sales team to carry presentations around on.

However, at the last place I worked, they were initially discouraged. As more and more people got them for themselves, it became increasingly hard to police without disabling USB ports, etc.

=======================================
So often times it happens that we live our lives in chains
And we never even know we have the key

RE: Flash Drive Policy

Sorry Santa Mufasa, I meant a couple of my employees had purchased flash drives and backed up their docs onto the flash drive without IT knowing. We just received encryption software but we are first going to test it.

Anyhoo... I am just looking for some sort of policy restricting the use of these devices. They are valuable little tools, especially for presentations, but we (IT) want to be able to control who has them and ensure that they don't take home any confidential patient information.

RE: Flash Drive Policy

Aaaah, HIPAA problems. Just get them to sign a sheet acknowledging their responsibilities to protect PII and specifically noting their use of portable storage devices to transport data to other work locations and explaining that no PII can be transported that way.

From a legal perspective, you should be covered. From a realistic perspective, if you can't trust them away from the office, why bother to trust them in the office?

-------------------------
The trouble with doing something right the first time is that nobody appreciates how difficult it was - Steven Wright

RE: Flash Drive Policy

I'm sure that you can restrict the installation of any USB devices through GPO (if you run any Windows servers).

We discourage rather than restrict here. You're only allowed to have a thumb device if someone in IT has given you one. Mainly it's due to the fact that we have some of our computers off the network that we sometimes have to transfer information between. With laptops and desktops coming without floppy drives (as a standard; I know you can still get them with floppies installed), I have accidentally ordered a few, and their manager preferred for me to order a flash drive instead.

The ones with encrypted software work pretty well. One of my users does use it since he travels a lot.

RE: Flash Drive Policy

I work at a HIPAA agency as well, but I have never heard anything about prohibiting flash drive use. I wonder if I should have? Maybe I just signed a paper saying I wouldn't put PII on them when I started. Now I am wondering if I'm in trouble.

Ignorance of certain subjects is a great part of wisdom

RE: Flash Drive Policy

If you've got a policy telling people not to take confidential data off-site without permission, I would imagine you are covered, Alex.

Our policy is configured to disable WRITE access on USB drives (XP feature, through registry/GPO), it's enabled if you're an administrator. On the few remaining 2k machines, I think we disable it completely.

Carlsberg don't run I.T departments, but if they did they'd probably be more fun.

RE: Flash Drive Policy

I work for an Agfa company that uses HIPAA, and all I signed was a sheet saying I would not use any client data for personal or proprietary purposes or I'll be prosecuted. I just hooked up my portable HD so I could listen to Lynyrd Skynyrd. There is no policy on drives or copying client info here, mainly because a large number of people work off site and need access to our server. Some even create their own DB so they don't have to connect. It seems a little barbaric to disallow use of a portable drive. Are employees allowed to use/load personal content (pictures, music, docs) on their workspace/office?

RE: Flash Drive Policy

Well, this is an old discussion, but there's a point on blocking it. The office equipment's primary objective is just work, and should have priority over personal matters.

I'd never block that; the right policy for me would be an employee agreement, but I can't agree with the personal documents reason: you can take your music on your mp3 player, and I don't think your personal files or photos are a business matter.

Cheers,
Dian

RE: Flash Drive Policy

True, but if I can bring in an mp3 player, what is there to say I won't just hook it up to my workstation, whether to play it through the system or to copy some files? If you make a policy against thumb drives and such, you basically have to outlaw all types of extra/personal drives that can access the hardware. And truthfully, unless you're uber corporate/professional or on a networked workstation, why can't you put a background picture of, say, your wife/daughter/son/brother etc. on? True, that statement is case by case, but it does allow for the same argument. Then also, what about internet storage space where I can upload/download whatever (including business apps/docs)? This discussion does lead down a philosophical slippery slope. I'm still in favor of the legal writ saying you cannot use this information in any way unless directed so by the corp. Then that employee is personally responsible and really can't make an argument of negligence or stupidity.

RE: Flash Drive Policy

Not so. Having someone sign a slip of paper does not excuse the company from negligence if there is indeed negligence. The company is charged with securing confidential information. If it does not take reasonable steps to do so, it can be called negligent.

The real catch is "reasonable steps." That would likely have to play out in a jury trial for a negligence suit. Would the jurors consider allowing thumb drives, Internet storage site uploads, portable HDDs, etc to be a reasonable action by a company charged with securing their private information? Not likely IMO, though I'm not a lawyer and am unfamiliar with any specific case-law related to this issue. If I was a juror and a HIPAA-type organization was on trial, it would be hard to convince me they weren't negligent given technological security controls available today. At no point in time should an employee's perceived "right" to play music and have a fluffy bunny wallpaper endanger the security of the corporate data.

BTW, a signed agreement for employee policy is not a writ.

Monkeylizard
Sometimes just a few hours of trial and error debugging can save minutes of reading manuals.

RE: Flash Drive Policy

First, I believe some may not have understood what I meant. I did not mean 'writ' as in a subpoena, but my boss does have "administrative jurisdiction" over me and can LEGALLY have me fired, removed and banned from this site without a lawyer (but will have one to cover all legal bases).

Quote:

"In law, a writ is a formal written order issued by a body with administrative or judicial jurisdiction." - Wiki.

Please don't take this out of context I meant writ as to say a formal agreement where both parties understand the compulsory legal response from the administration, HR and the legal party.

Quote:

"At no point in time should an employee's perceived "right" to play music and have a fluffy bunny wallpaper endanger the security of the corporate data."

I never said that it was a right, and that is the key idea: if you allow your employee the ability to use such devices/sites/luxuries, then you HAVE to make certain rules against their limit of interaction/exposure with said information, either forcefully or legally. I was trying to make the point that if employee "A" wants case "B"'s information, what is stopping "A" from doing so? If "A" has read and signed a legal agreement saying "A" will NOT download/upload/publicize/make a personal profit from any of HIPAA's cases, then "A" is responsible. The corp. will feel the backlash, but that will always be. If I go on site to fix something and I decide to whip it out and urinate on the floor, OF COURSE the site will be angry at me, but they will be even angrier at the corp. for hiring and sending me, even though all responsibility should fall squarely on me. Hopefully I've made my case clear: you can't have one (free use of mp3/thumb/portable drives) without the other (some written form limiting their use/access).

RE: Flash Drive Policy

That's cool, I thought maybe I needed to explain myself a little clearer than before. See, whether you believe in a signed piece of paper is kind of negligible, mainly because you would be deciding if the employee (not the corp.) was in violation of any Trade Secret Acts.

Quote:

people who sign nondisclosure agreements (also known as "confidentiality agreements") promising not to disclose trade secrets without authorization from the owner. This may be the best way for a trade secret owner to establish a duty of confidentiality. Even though employees are bound under an implied duty not to disclose sensitive information...because such agreements make it clear to the employee that the company's trade secrets must be kept confidential...

Truthfully, I'm all about taking personal responsibility. Everyone who has ever been hired for a job (90% of all jobs anyway) has signed a nondisclosure form. So even if you were still saying "not guilty" on a jury case, most likely your other peers may not see it the same. I mean, a company can only go so far before they start Big Brother procedures, right? And seeing as how there is a HUGE conservative movement, they may see it as it really is: theft of property. And stealing is stealing.

RE: Flash Drive Policy

At least the person copying data to removable flash is authorized to view the information, though I'm not suggesting that it implies data copying and certainly not taking data off site.

What I do wonder about is whether or not the patient data is being encrypted/decrypted at the client machines. Network and server operations staff have no business need to have this information accessible to them, and thus giving them some waiver shouldn't hold any water either. The same goes for developers and DBAs. When these people engage in bad behavior it happens on a wholesale scale.

That's the problem with these privacy regulations. The serious leaks seldom get plugged in actual implementations.

RE: Flash Drive Policy

Well, I just got word that with our new servers we are going to be installing a program called Credant. Anyone heard of this and has anyone run into any issues with this? This should help with the flash drives....but I still have to come up with a policy.

RE: Flash Drive Policy

Do NOT allow anyone to work at home. This will save you the trouble of whether someone saves to a flash drive, as if they do, what are they going to do with it? If they take it home, are they going to sit and watch it? If anybody questions the point, tell them about the government people whose laptops have been stolen, which in turn let social security numbers loose on the net. Privacy is the utmost concern, especially in HIPAA.

RE: Flash Drive Policy

Disallow all copying to external devices and have your legal department write up a HIPAA compliance document that every employee must acknowledge and sign (like most medical tech companies do). Since Credant also supports a mobile solution for your data, any argument for copying should fall into a case-by-case basis (e.g. conferences, outside meetings, marketing, etc.). Allow employees to use a flash/portable device because some, like me, will only have music. If an employee can copy files for work-related testing or other such work, then you should disallow any copying of files outside of approved hardware (again, this is for work laptops or other hardware used in marketing or presentations). If Credant cannot monitor copying of those files, then disallowing all outside hardware may be prudent (this is not a 100% answer because of cell phones with expandable memory).

RE: Flash Drive Policy

Quote:

> no written, signed slip of paper holds any weight with me if I'm a juror if the company did not also take actual precautions to prevent unauthorized data access/transfer

No matter what you make the employees sign, you are ultimately responsible for designing, implementing, and enforcing an environment with policies that will treat PHI accordingly. If you make everyone sign a paper that says "don't do this" but then look the other way when they do, you are responsible.

Quote:

In the UK, you just might find yourself being directed by the judge on this; UK jurors are not allowed to make up the law to suit their views.

It's not a matter of US jurors making up the law. It's the way the law was written. HIPAA says that PHI has to be protected, that reasonable measures should be made to protect the data, that there has to be ways to restrict data so that only the people who need it to do their jobs get access to it, there has to be an officer in the company to monitor compliance, etc. It's specific in some areas, but when it comes to technological requirements it is quite vague. There's an upside and a downside to this.

The upside is that you will be required to take actions that are considered reasonable in the current environment. Many financial institutions continued to use 56-bit encryption algorithms for decades after they had been proven insecure because that was what was mandated. If the law is vague, then it pretty much comes down to requiring you to implement current best practices. It would certainly be possible to take things to an even more secure/protected level, but at a cost that would make it impossible to implement in a useful manner. So the law doesn't require the strongest security; it just wants best practices.

The downside is that there is a lot of ambiguity there, which means that there's a lot of room for interpretation by a jury (or whoever else). What might be considered industry standard best practices by a large metropolitan hospital may not be feasible in a small, rural hospital. So which standard is used?

But back to the question: at the hospital where I was responsible for data security we had a written policy, signed by the users, requiring that they treat PHI as protected and that they wouldn't transfer it outside the company except through secured/encrypted means, and only to people/organizations with whom the hospital had partnership agreements, and then only to people who required that information to perform their job duties.

We did not allow people to use portable storage devices (thumb drives, USB hard disk, iPods) and connect them to PCs. At first the policy was only stated and then enforced when it came to our attention that users had brought in such a device. Eventually we had to lock it down via GPO.

We did allow people to work from home, but only under limited circumstances. They could use a company provided laptop if they had one assigned to them, or they could check one out. All laptops ran with full-disk encryption so that the data was secured if the device was lost or stolen. Users could also work remotely by using a VPN connection to a terminal server that had applications installed on it. This ensured that even though they were working remotely the information was still stored on hospital-controlled systems and was encrypted in transit. Under no circumstances were people allowed to transmit PHI via email, even to another internal email address (it's too easy to forward it outside the company).
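Two posts in this thread refer to the same technical control: one disables write access on USB drives through the registry (the XP StorageDevicePolicies feature) and the last one locks removable storage down via GPO. The script below is an added example, not code from any poster; it audits and optionally applies those two registry-level controls on a single machine. It assumes Windows XP SP2 or later, an elevated PowerShell session, and that the same values are what your GPO would push out.

```powershell
# Added example: audit/enforce the two Windows registry controls mentioned in the thread.
#   1. StorageDevicePolicies\WriteProtect = 1  -> USB mass-storage volumes mount read-only
#   2. Services\USBSTOR\Start = 4              -> USB mass-storage driver disabled entirely
# Assumes an elevated session; both keys are real Windows locations.

$policyKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
$usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorageState {
    # Report the effective state of both controls so it can be checked against policy.
    $writeProtect = 0
    if (Test-Path $policyKey) {
        $wp = Get-ItemProperty -Path $policyKey -Name WriteProtect -ErrorAction SilentlyContinue
        if ($wp) { $writeProtect = [int]$wp.WriteProtect }
    }
    $start = (Get-ItemProperty -Path $usbstorKey -Name Start).Start
    [pscustomobject]@{
        ReadOnlyEnforced = ($writeProtect -eq 1)
        DriverDisabled   = ($start -eq 4)     # 3 = load on demand, 4 = disabled
    }
}

function Set-UsbStorageReadOnly {
    # The middle ground described in the thread: devices still mount and can be read,
    # but nothing on the PC can be written to them.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name WriteProtect -Value 1 -Type DWord
}

function Disable-UsbStorageDriver {
    # The stronger control (no USB mass storage at all), as used on the older machines
    # in the post. Reversible by setting Start back to 3.
    Set-ItemProperty -Path $usbstorKey -Name Start -Value 4 -Type DWord
}

# Audit first; apply one of the two controls deliberately, not both by default.
Get-UsbStorageState
```

WriteProtect is applied when a volume is mounted, so re-plug any drive that was already connected before judging the result, and remember that a local registry value is only a per-machine check: the lasting enforcement belongs in the GPO that pushes the same values.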